Binary Edwards Curves Daniel J. Bernstein Tanja Lange University - - PowerPoint PPT Presentation

SLIDE 1

Binary Edwards Curves

Daniel J. Bernstein (University of Illinois at Chicago, djb@cr.yp.to) and Tanja Lange (Technische Universiteit Eindhoven, tanja@hyperelliptic.org)

12.08.2008

Joint work with Reza Rezaeian Farashahi, Eindhoven

  • D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2

SLIDE 2

Harold M. Edwards

Edwards generalized single example $x^2 + y^2 = 1 - x^2y^2$ by Euler/Gauss to whole class of curves.

Shows that – after some field extensions – every elliptic curve over field k of odd characteristic is birationally equivalent to a curve of the form

$$x^2 + y^2 = a^2(1 + x^2y^2), \quad a^5 \ne a$$

Edwards gives addition law for this generalized form, shows equivalence with Weierstrass form, proves addition law, gives theta parameterization . . . in his paper Bulletin of the AMS, 44, 393–422, 2007

SLIDE 3

How to add on an Edwards curve

Let k be a field with $2 \ne 0$. Let $d \in k$ with $d \ne 0, 1$. Edwards curve:

$$\{(x, y) \in k \times k \mid x^2 + y^2 = 1 + dx^2y^2\}$$

[Figure: curve plotted with axes x and y]

  • Generalization covers more curves over k.

Associative operation on points

$$(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$$

defined by Edwards addition law

$$x_3 = \frac{x_1y_2 + y_1x_2}{1 + dx_1x_2y_1y_2} \quad\text{and}\quad y_3 = \frac{y_1y_2 - x_1x_2}{1 - dx_1x_2y_1y_2}.$$

Neutral element is $(0, 1)$; this is an affine point.

$-(x_1, y_1) = (-x_1, y_1)$. $(0, -1)$ has order 2; $(1, 0)$ and $(-1, 0)$ have order 4.

SLIDE 4

Relationship to Weierstrass form

Every elliptic curve with point of order 4 is birationally equivalent to an Edwards curve. Let $P_4 = (u_4, v_4)$ have order 4 and shift u s.t. $2P_4 = (0, 0)$. Then Weierstrass form:

$$v^2 = u^3 + (v_4^2/u_4^2 - 2u_4)u^2 + u_4^2u.$$

Define $d = 1 - (4u_4^3/v_4^2)$.

The coordinates $x = v_4u/(u_4v)$, $y = (u - u_4)/(u + u_4)$ satisfy

$$x^2 + y^2 = 1 + dx^2y^2.$$

Inverse map $u = u_4(1 + y)/(1 - y)$, $v = v_4u/(u_4x)$. Finitely many exceptional points. Exceptional points have $v(u + u_4) = 0$. Addition on Edwards and Weierstrass corresponds.

SLIDE 8

Nice features of the addition law

Neutral element of addition law is affine point, this avoids special routines (for (0, 1) one of the inputs or the result). Addition law is symmetric in both inputs.

$$P + Q = \left(\frac{x_1y_2 + y_1x_2}{1 + dx_1x_2y_1y_2},\ \frac{y_1y_2 - x_1x_2}{1 - dx_1x_2y_1y_2}\right).$$

$$[2]P = \left(\frac{x_1y_1 + y_1x_1}{1 + dx_1x_1y_1y_1},\ \frac{y_1y_1 - x_1x_1}{1 - dx_1x_1y_1y_1}\right).$$

No reason that the denominators should be 0. Addition law produces correct result also for doubling. Unified group operations!

SLIDE 9

Complete addition law

If d is not a square the denominators $1 + dx_1x_2y_1y_2$ and $1 - dx_1x_2y_1y_2$ are never 0; addition law is complete.

Edwards addition law allows omitting all checks:

  • Neutral element is affine point on curve.
  • Addition works to add P and P.
  • Addition works to add P and −P.
  • Addition just works to add P and any Q.
  • Only complete addition law in the literature.
  • No exceptional points, completely uniform group operations.

Having addition law work for doubling removes some checks from the code and gives SCA protection (might leak Hamming weight, though).
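The completeness condition above can be checked exhaustively on a toy curve, and the same single formula can then drive a fixed-length ladder. This is an added example, not code from the slides or the authors' paper; the prime 101, the parameters d = 2 (non-square) and d = 4 (square), and all function names are assumptions chosen for illustration.

```python
P_MOD = 101  # constructed toy prime (assumption); deployed curves use far larger fields

def is_square(a, p=P_MOD):
    # Euler's criterion for a nonzero residue a modulo an odd prime p
    return pow(a, (p - 1) // 2, p) == 1

def on_curve(pt, d, p=P_MOD):
    x, y = pt
    return (x*x + y*y - 1 - d*x*x*y*y) % p == 0

def add(P, Q, d, p=P_MOD):
    """Edwards addition law; returns None when a denominator vanishes."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    den_x, den_y = (1 + t) % p, (1 - t) % p
    if den_x == 0 or den_y == 0:
        return None
    x3 = (x1*y2 + y1*x2) * pow(den_x, -1, p) % p
    y3 = (y1*y2 - x1*x2) * pow(den_y, -1, p) % p
    return x3, y3

def points(d, p=P_MOD):
    return [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), d, p)]

def exceptional_pairs(d, p=P_MOD):
    """Count pairs (P, Q) of curve points for which the addition law divides by 0."""
    pts = points(d, p)
    return sum(add(P, Q, d, p) is None for P in pts for Q in pts)

def ladder(k, P, d, bits=8, p=P_MOD):
    """Fixed-length ladder: every bit costs one addition and one doubling, and both
    go through add(), including the steps where R0 is still the neutral element.
    The branch is for readability; production code replaces it with a
    constant-time conditional swap."""
    R0, R1 = (0, 1), P
    for i in reversed(range(bits)):
        if (k >> i) & 1:
            R0, R1 = add(R0, R1, d, p), add(R1, R1, d, p)
        else:
            R0, R1 = add(R0, R0, d, p), add(R0, R1, d, p)
    return R0

for d in (2, 4):
    print(f"d={d} square={is_square(d)} exceptional pairs={exceptional_pairs(d)}")
```
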

SLIDE 10

Fast addition law

Very fast point addition 10M + 1S + 1D. (Even faster with Inverted Edwards coordinates.) Dedicated doubling formulas need only 3M + 4S. Fastest scalar multiplication in the literature.

For comparison: IEEE standard P1363 provides “the fastest arithmetic on elliptic curves” by using Jacobian coordinates on Weierstrass curves. Point addition 12M + 4S. Doubling formulas need only 4M + 4S.

For more curve shapes, better algorithms (even for Weierstrass curves) and many more operations (mixed addition, re-addition, tripling, scaling, . . . ) see www.hyperelliptic.org/EFD for the Explicit-Formulas Database.

SLIDE 11

Edwards Curves – a new star(fish) is born

lecture circuit: Hoboken; Turku; Warsaw; Fort Meade, Maryland; Melbourne; Ottawa (SAC); Dublin (ECC); Bordeaux; Bristol; Magdeburg; Seoul; Malaysia (Asiacrypt); Madras; Bangalore (AAECC); . . . ; Washington (CHES)

SLIDE 12

One year passes . . .

. . . I feel so odd . . .

SLIDE 14

Exceptions, 2 = 0 . . .

Even characteristic much more interesting for hardware . . . and soon also in software, cf. Intel’s and Sun’s current announcements to include binary instructions.

SLIDE 16

How to design a worthy binary partner?

Our wish-list (early February 2008) after studying and experimenting with mostly small modifications of odd Edwards: A binary Edwards curve should

  • be elliptic.
  • look like an Edwards curve.
  • have a complete addition law.
  • cover most (all?) ordinary binary elliptic curves.
  • have an easy to compute negation.
  • have efficient doublings.
  • have efficient additions.
  • be found before the CHES deadline, February 29th.

SLIDE 17

Binary Edwards curves

Let $d_1 \ne 0$ and $d_2 \ne d_1^2 + d_1$; then

$$E_{B,d_1,d_2} : d_1(x + y) + d_2(x^2 + y^2) = xy + xy(x + y) + x^2y^2$$

is a binary Edwards curve with parameters $d_1$, $d_2$. Map $(x, y) \mapsto (u, v)$ defined by

$$u = d_1(d_1^2 + d_1 + d_2)(x + y)/(xy + d_1(x + y)),$$

$$v = d_1(d_1^2 + d_1 + d_2)(x/(xy + d_1(x + y)) + d_1 + 1)$$

is a birational equivalence from $E_{B,d_1,d_2}$ to the elliptic curve

$$v^2 + uv = u^3 + (d_1^2 + d_2)u^2 + d_1^4(d_1^4 + d_1^2 + d_2^2),$$

an ordinary elliptic curve in Weierstrass form.

SLIDE 18

Properties of binary Edwards curves

$(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$ with

$$x_3 = \frac{d_1(x_1 + x_2) + d_2(x_1 + y_1)(x_2 + y_2) + (x_1 + x_1^2)(x_2(y_1 + y_2 + 1) + y_1y_2)}{d_1 + (x_1 + x_1^2)(x_2 + y_2)},$$

$$y_3 = \frac{d_1(y_1 + y_2) + d_2(x_1 + y_1)(x_2 + y_2) + (y_1 + y_1^2)(y_2(x_1 + x_2 + 1) + x_1x_2)}{d_1 + (y_1 + y_1^2)(x_2 + y_2)}$$

if denominators are nonzero. Neutral element is $(0, 0)$; again, this is an affine point.

$(1, 1)$ has order 2. $-(x, y) = (y, x)$. $(x_1, y_1) + (1, 1) = (x_1 + 1, y_1 + 1)$.

SLIDE 19

Edwards curves over finite fields $\mathbb{F}_{2^n}$

Trace is map $\mathrm{Tr} : \mathbb{F}_{2^n} \to \mathbb{F}_2;\ \alpha \mapsto \sum_{i=0}^{n-1} \alpha^{2^i}$.

For any points $(x_1, y_1)$, $(x_2, y_2)$ the denominators $d_1 + (x_1 + x_1^2)(x_2 + y_2)$ and $d_1 + (y_1 + y_1^2)(x_2 + y_2)$ are nonzero if $\mathrm{Tr}(d_2) = 1$. In particular, addition formulas can be used to double. Addition law for curves with $\mathrm{Tr}(d_2) = 1$ is not only strongly unified but even complete. No exceptional points, completely uniform group operations.

These are the first complete binary elliptic curves! Even better, every ordinary elliptic curve over $\mathbb{F}_{2^n}$ is birationally equivalent to a complete binary Edwards curve if $n \ge 3$.
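The trace condition and the binary addition law can be exercised end to end on a small field. This is an added example, not code from the slides or the authors' paper; the field GF(2^5) with modulus t^5 + t^2 + 1, the parameters d1 = d2 = 1, and all function names are assumptions chosen for illustration.

```python
# Constructed toy field (assumption): GF(2^5) = F_2[t]/(t^5 + t^2 + 1), elements are ints 0..31.
N, POLY = 5, 0b100101

def mul(a, b):  # carry-less multiplication reduced modulo POLY
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> N:
            a ^= POLY
    return r

def inv(a):  # 1/a = a^(2^N - 2) for a != 0
    r = 1
    for _ in range(2**N - 2):
        r = mul(r, a)
    return r

def trace(a):
    """Tr(a) = a + a^2 + a^4 + ... + a^(2^(N-1)); the result is 0 or 1."""
    t = 0
    for _ in range(N):
        t, a = t ^ a, mul(a, a)
    return t

def on_curve(P, d1, d2):
    (x, y), xy = P, mul(*P)
    lhs = mul(d1, x ^ y) ^ mul(d2, mul(x, x) ^ mul(y, y))
    return lhs == xy ^ mul(xy, x ^ y) ^ mul(xy, xy)

def add(P, Q, d1, d2):
    """Binary Edwards addition law; returns None if a denominator is 0."""
    (x1, y1), (x2, y2) = P, Q
    c = mul(d2, mul(x1 ^ y1, x2 ^ y2))
    ax, ay = x1 ^ mul(x1, x1), y1 ^ mul(y1, y1)
    den_x, den_y = d1 ^ mul(ax, x2 ^ y2), d1 ^ mul(ay, x2 ^ y2)
    if den_x == 0 or den_y == 0:
        return None
    num_x = mul(d1, x1 ^ x2) ^ c ^ mul(ax, mul(x2, y1 ^ y2 ^ 1) ^ mul(y1, y2))
    num_y = mul(d1, y1 ^ y2) ^ c ^ mul(ay, mul(y2, x1 ^ x2 ^ 1) ^ mul(x1, x2))
    return mul(num_x, inv(den_x)), mul(num_y, inv(den_y))

def audit(d1, d2):
    """Return (curve points, number of pairs (P, Q) with a zero denominator)."""
    pts = [(x, y) for x in range(2**N) for y in range(2**N) if on_curve((x, y), d1, d2)]
    return pts, sum(add(P, Q, d1, d2) is None for P in pts for Q in pts)

pts, bad = audit(1, 1)  # d1 = d2 = 1 and Tr(1) = 1 because N is odd
print(f"Tr(d2)={trace(1)} points={len(pts)} exceptional pairs={bad}")
```

In this field every addition is XOR, so the `^` operators in `add` are the plus signs of the formulas on the previous slide.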

SLIDE 20

Generality & doubling

Nice doubling formulas (use curve equation to simplify)

$$x_3 = 1 + \frac{d_1 + d_2(x_1^2 + y_1^2) + y_1^2 + y_1^4}{d_1 + x_1^2 + y_1^2 + (d_2/d_1)(x_1^4 + y_1^4)},$$

$$y_3 = 1 + \frac{d_1 + d_2(x_1^2 + y_1^2) + x_1^2 + x_1^4}{d_1 + x_1^2 + y_1^2 + (d_2/d_1)(x_1^4 + y_1^4)}$$

In projective coordinates: 2M+6S+3D, where the 3D are multiplications by $d_1$, $d_2/d_1$, and $d_2$.

Can choose at least one of these constants to be small or use curves where $d_1 = d_2$ is possible; then only 2M+5S+2D for a doubling.

SLIDE 21

Comparison with other doubling formulas

Assume curves are chosen with small coefficients.

| System | Cost of doubling |
|---|---|
| Projective | 7M+4S; see HEHCC |
| Jacobian | 4M+5S; see HEHCC |
| Lopez-Dahab | 3M+5S; Lopez-Dahab |
| Edwards | 2M+6S; new, complete |
| Lopez-Dahab a2 = 1 | 2M+5S; Kim-Kim |
| Edwards d1 = d2 | 2M+5S; new, complete |

Explicit-Formulas Database www.hyperelliptic.org/EFD contains also formulas for characteristic 2; including some speed-ups for non-Edwards coordinates, e.g. 2M+4S+2D for case considered by Kim-Kim.

SLIDE 22

Differential addition I

Compute $P + Q$ given $P$, $Q$, and $Q - P$. Represent $P = (x_1, y_1)$ by $w(P) = x_1 + y_1$. Have $w(P) = w(-P) = w(P + (1, 1)) = w(-P + (1, 1))$. Can double in this representation: Let $(x_4, y_4) = (x_2, y_2) + (x_2, y_2)$. Then

$$w_4 = \frac{d_1w_2^2 + d_1w_2^4}{d_1^2 + d_1w_2^2 + d_2w_2^4} = \frac{w_2^2 + w_2^4}{d_1 + w_2^2 + (d_2/d_1)w_2^4}.$$

If $d_2 = d_1$ then

$$w_4 = 1 + \frac{d_1}{d_1 + w_2^2 + w_2^4}.$$

Projective version takes 1M+3S+2D (or 1M+3S+1D for $d_2 = d_1$).

SLIDE 23

Differential addition II

Let $(x_1, y_1) = (x_3, y_3) - (x_2, y_2)$, $(x_5, y_5) = (x_2, y_2) + (x_3, y_3)$.

$$w_1 + w_5 = \frac{d_1w_2w_3(1 + w_2)(1 + w_3)}{d_1^2 + w_2w_3(d_1(1 + w_2 + w_3) + d_2w_2w_3)},$$

$$w_1w_5 = \frac{d_1^2(w_2 + w_3)^2}{d_1^2 + w_2w_3(d_1(1 + w_2 + w_3) + d_2w_2w_3)}.$$

If $d_2 = d_1$ then

$$w_1 + w_5 = 1 + \frac{d_1}{d_1 + w_2w_3(1 + w_2)(1 + w_3)}, \quad w_1w_5 = \frac{d_1(w_2 + w_3)^2}{d_1 + w_2w_3(1 + w_2)(1 + w_3)}.$$

Some operations can be shared between differential addition and doubling.

SLIDE 24

Differential addition III

Mixed differential addition: $w_1$ given as affine, $w_2 = W_2/Z_2$, $w_3 = W_3/Z_3$ in projective.

| Operation | general case | d2 = d1 |
|---|---|---|
| mixed diff addition | 6M+1S+2D | 5M+1S+1D |
| mixed diff addition+doubling | 6M+4S+4D | 5M+4S+2D |
| projective diff addition | 8M+1S+2D | 7M+1S+1D |
| projective diff addition+doubling | 8M+4S+4D | 7M+4S+2D |

Note that the new diff addition formulas are complete.

  • Lopez and Dahab use 6M+5S for mixed dADD&DBL.
  • Stam uses 6M+1S for projective dADD; 4M+1S for mixed dADD addition; and 1M+3S+1D for DBL.
  • Gaudry uses 5M+5S+1D for mixed dADD&DBL.

SLIDE 26

Operation counts

These curves are the first binary curves to offer complete addition laws. They are also surprisingly fast:

  • ADD on binary Edwards curves takes 21M+1S+4D, mADD takes 13M+3S+3D.
  • For small D and d1 = d2 much better: ADD in 16M+1S.
  • Differential addition takes 8M+1S+2D; mixed version takes 6M+1S+2D.
  • Differential addition+doubling (typical step in Montgomery ladder) takes 8M+4S+2D; mixed version takes 6M+4S+2D.

See our paper and the EFD for full details, speedups for d1 = d2, how to choose small coefficients, affine formulas, . . . (only updates, no patents, pending).

SLIDE 27

Happy End!
